Posted
by
Soulskill
on Friday June 15, 2012 @06:06PM
from the what-could-possibly-go-wrong dept.

chicksdaddy writes "A web site used to distribute software updates for a wide range medical equipment, including ventilators has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise. The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google's Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company's AVEA brand ventilators, were found to be infected and pushing malicious software to visitors' systems."

Idiot. You don't just change your operating system on a whim in a medical environment. For one thing, the hospital or other institution probably doesn't even own the device, and so has no ability to change the OS. Even if they did, the device probably can't run a different OS. And even if it could, the institution would have to validate the new OS to ensure that it performed all of its functions correctly. Yeah, just change your OS, because a hospital is pretty much the same thing as your home network!

Cool down please. The AC never said "change.... on a whim", he said: "avoid that". Besides, he's right. It's clear that anyone should avoid medical devices that need windows to update their firmware, or worse: _run_ windows.

The problem is that YOU CANNOT UPDATE because of naturally the incredible amount of red tape and testing that MUST be done on a machine on which lives depend. It wouldn't matter if it was running Windows, BSD, or Linux as there would be ZERO PATCHES applied to the machine for most if not all of its life.

That is why frankly all machines of that type need to be running a custom built RTOS with as little OS as possible, preferably just enough to do

Possibly - but the most malware-infected sites are sometimes the ones you wouldn't expect. Charities. Churches. Fraternal organizations. Anyplace where the servers are operated and maintained by volunteers who don't have a financial stake in the organization's operations, and who don't have a good background in security.

Porn sites, on the other hand, are run by businesses who expect repeat business, and can't afford to scare customers away with malware. Their sites are much LESS likely to be infected, because they have professional IT staffs.

Why would you target these out of the host of sites you should be targeting? Is this cyberwar? Or just a case of malware finding just about anything to attach too? If it is attaching to anything why was the industry not prepared for this?

I thought these people, the medical drug/supply industry in general, held themselves to higher regard than others, which translated into better business practices. I mean, they're dealing with peoples lives here.

Guess even they aren't immune from technological ineptitude and poor management.

They can be fined if any user identifiable medical data was proven to be compromised as a result of the malware.

They also have to do regular internal security scans (IE: Anti Virus scans and other steps) to ensure that they are not infected or allowing people that should not have access to the user identifiable data that they should not)

This also includes regular security training for their staff; which means that the download pages should not have had a "just click on run to install the software"

The key here is user identifiable.If someone compromises a respirator, I doubt it has the patient's name in the embedded OS.Most hospitals employ VLANs and keep medical data off those segmets -- I'm sure there's stories of patients or guests dumb enough to plug in to the ethernet jack in a hospital room for free internet.

However, shutting one of these life support devices off remotely or preventing them from operating properly is certain death. That's likely the biggest concern.

Umm, you read the summary or even the title and that is your reaction?

This is a website that releases updates to medical equipment and instead is serving up malware. The fact that Google automated software is the one that caught it and notified visitors about it is but a minor foot note. Thankfully, it doesn't seem that the firmware itself was messed with though the article is light on details.

While, definitely alarming, I wouldn't call it surprisingly however. It in the medical field is generally sorely la

This is Google's Safe Browsing function. It's their attempt to flag potentially dangerous sites. IT's not intended to block access to the site entirely, merely warn that it's been infected. It's up to the people who manage the site to fix it.

In this case it is used to publicly advertise a critical products, system and security admins failure and force immediate remedial action. Rather and embarrassing way for Google to do it but very effective and all in all, very appropriate.

Blocked by google means blocked by any browser that checks against google's safe site database before opening the page. That includes Chrome (as you might expect) and Firefox. Internet Explorer uses Microsoft's equivalent, I don't know about Opera and Safari.

A lot of sites are infected by bots who probe domains for tell-tale signs of security holes. Take a look at the logs for any website. You'll see regular GET requests from thousands of ip addresses looking for pages of well known applications (like phpmyadmin).

The site was probably running some package with a hole in it.

I run a url-shortner. Links to such compromised sites are always being further obfuscated through the shortner. It's a never ending process.

All the hospitals I worked on still use IE 6 and XP SP 2 which has not had an update in over 2 years with +100 exploits. With that and some of the most top IT and well paid infrastructures in the industry I can't see how anything could go wrong?

That is a relief. Most slashdotters here who have worked in the medical field all tell similiar stories of IE 6 or IE 5.5 on Windows 2000 still.

I assumed all the intranet apps still required XP SP 2 and IE 6 because of medical testing and the fact that it is expensive to replace equipment so why change?

I wont say the names here publically. But one is a chain with 7 or 8 locations all on the west coast. I came in for a PC Refresh project too. All new hardware for a new EPIC medical database. But the equipmen

I notice you are using the past tense, ie: worked on/in. Although not in the medical industry the multi-national I work for only got rid of IE6 on their SOE image last year. The same is true for many companies, it wasn't until win7 arrived that they started in earnest to purge their internal applications that only worked on IE6. MS lost the standards wars, consequently moving away from IE6 has been a huge headache for the business world.

The issue I am making fun of is hospitals have LARGE amounts of devices that are internet enabled like $300,000 cat scan machines that PDF and email documents and are managed only via IE 6 as they were made in a different era when that was the gold standard before Firefox was anything but a cheap amature internet thingie a half decade ago. They almost always use very obsolete platforms with 256 megs of ram, IE 6, etc. The budget analysts folks are under heavy pressure to cut costs and IT is always the cost center at the end of day.

Worse many devices have support contracts dictating you use IE 6 or IE 7 before we will even talk to you on the phone. All equipment must be medical certified which takes years to process so they are even further behind compared to vanilla corporate America. This was the case with the EPIC project I was working on.

I was dumb founded when they had me installing XP SP 2 on these new icore 5s. At least XP SP 3 gets patches. Looking at ColdWetdog's website I believe I worked for his employer possible in 2011 early last year and maybe they did plan on upgrading. If it was in Anchorage where the center facility is based I will certainly get a good laugh:-)

If they went to at least XP SP 3 by now then that is patched I will be happy. There were no talks of that at the time as I asked the IT department WTF etc. Equipment and medical software are very very expensive and is always years behind the competition. In Canada they still use Windows 2000 and IE 5.5 web apps because it is cost prohibitive to change and things like COWS (Computer On Wheels) have very narrow specifications where the company will void your warranty if you touch it.

Locking systems down to exact time frames is wrong and is negligent in this new day and age I agree. I hope McKesson and StarChart certainly do just follow standards as hospitals should be more state of the art in technology and not techno-phobic so to speak. WIth such pricy and expensive testing it makes sense to keep the budget to hire more nurses and doctors than to keep IT going if their systems are just something a secretary uses to remind patients when their next appointment is. The medical database project at least tied all of Alaska, Washington, and Oregon together with a unified patient record which now makes IT a lot more important.

Does HIPAA, SOX, etc let you push responsibility onto a vendor that you hired?

Aren't those just about money? These systems may be handling tasks where lives are at stake. But I think as far as SOX is concerned, that's not important. In the worst case somebody is going to die, it's not like any real damage would happen such as letting people get away with some financial scams. (Is slashdot trying to give me some sort of hint by choosing "lawsuit" as the capcha?)

So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

The problem is that the malware might offer a backdoor for someone to intentionally compromise the integrity of the medical device firmware. Even if it doesn't, the fact that the site is vulnerable means somebody else who's actually skilled (unlike the dumb sks/bots) could independently obtain access for the purpose of modifying the firmware.

So the site is riddled with malware, like hundreds of other sites out there I imagine. That is their webserver, which probably lives with some hosting provider somewhere and has no contact with the stuff they use for development of those medical devices.

Besides I don't really think that malware designed for whatever those servers ran will run on medical hardware..

let's see updates framed out to a supplier that likely framed out the website to a 3rd party hosting with a 3rd party place who build the web site.

likely there is no contact with the stuff they use for development of those medical devices.

Companies are cutting corners all the time. Outsourcing IT support and web site maintenance, so it doesn't surprise me they don't know their own sites are serving up malware.

And it all rolls downhill. The company running their web site runs 5,000 sites with two stressed out staff and can't keep up with sites that get boned. The host probably has thousands of domains and they don't have the staff to check on all their customer sites.

So all this shit falls on a handful of people who are overworked and underpaid by management who don't give a crap about anything but getting their bonus and boning the HR director.

As I understand, medical hardware was not the target. This is plain malware nesting in plain vulnerable software. The company happens to be in the medical field, the firmware for their product does not seems to have been infected.

Back in the day, when I had the first pre-802.11b device at the hospital I worked at, I helped a bit with testing medical devices for interference from wireless networking equipment.

Almost everything was fine except for some respirators, which went kerplooie when a device was within about 2 feet.

Talking to the manufacturer, they kept saying how they had a medical device exemption from the FCC for radio frequency interference. That's meant to shield outbound RF, but transmitters are good antennas and all.

The server is running II6 so the OS is probably Windows Server 2003. The site is built on ASP.NET. The IP address is registered to the company, so they're probably running their own in-house data center. My guess is they don't have anyone in IT that actually knows what the hell they are doing, which is typical of Windows shops thanks to bean counters and short-sighted management.